The bug was discovered by Ryan Whitworth, who probed the software using Fuzzy Lop.

It's explained in this thread: “when mailimf_group_parse() parses a header line containing a list of addresses (e.g. "Cc"), it sometimes fails, and by the time it gets to calling mailimf_group_new(display_name, mailbox_list), the pointer mailbox_list is still pointing to NULL. The code doesn't check for this outcome.”
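As an added illustration (this is not libetpan's code; the `mbox_list`/`group` types and every function name below are constructed for this example), here is the failure mode in miniature: a mailbox-list parser that returns NULL when a group carries no addresses, a group constructor that stores that pointer without checking, and a hardened constructor that turns the same condition into an error code the caller can handle. An empty group such as `undisclosed-recipients:;` is legal RFC 5322 syntax, so a list-less group is an ordinary input that a constructor must explicitly accept or reject rather than assume away.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug report above, not libetpan code. */
#define MAX_ADDRS 8

struct mbox_list {
    size_t count;
    char *addrs[MAX_ADDRS];
};

struct group {
    char *display_name;
    struct mbox_list *mailboxes;
};

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL) return NULL;
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

/* Stand-in for a mailbox-list parser over the text between ':' and ';'.
 * Returns NULL when no address is present, mirroring the path described
 * in the thread: the caller receives NULL instead of a list. */
static struct mbox_list *parse_mbox_list(const char *s, size_t len)
{
    struct mbox_list *ml = calloc(1, sizeof *ml);
    if (ml == NULL) return NULL;
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || s[i] == ',') {
            size_t a = start, b = i;   /* trim whitespace around the token */
            while (a < b && isspace((unsigned char)s[a])) a++;
            while (b > a && isspace((unsigned char)s[b - 1])) b--;
            if (b > a && ml->count < MAX_ADDRS)
                ml->addrs[ml->count++] = dup_range(s + a, b - a);
            start = i + 1;
        }
    }
    if (ml->count == 0) { free(ml); return NULL; }
    return ml;
}

static void mbox_list_free(struct mbox_list *ml)
{
    if (ml == NULL) return;
    for (size_t i = 0; i < ml->count; i++) free(ml->addrs[i]);
    free(ml);
}

/* Vulnerable shape: stores whatever it is handed.  The first consumer
 * that touches g->mailboxes->count dereferences NULL. */
static struct group *group_new_unchecked(const char *name, size_t nlen, struct mbox_list *ml)
{
    struct group *g = calloc(1, sizeof *g);
    if (g == NULL) return NULL;
    g->display_name = dup_range(name, nlen);
    g->mailboxes = ml;
    return g;
}

/* Hardened shape: refuses to build a group without a mailbox list, so the
 * condition surfaces as an error at the constructor, not a crash downstream. */
static struct group *group_new_checked(const char *name, size_t nlen, struct mbox_list *ml)
{
    if (name == NULL || ml == NULL) return NULL;
    return group_new_unchecked(name, nlen, ml);
}

static void group_free(struct group *g)
{
    if (g == NULL) return;
    free(g->display_name);
    mbox_list_free(g->mailboxes);
    free(g);
}

/* Parses a header body in group syntax, "display-name: addr, addr;".
 * Returns the address count, -1 on a syntax error, -2 when the group has
 * no parseable mailboxes.  With checked == 0 the last case is the NULL
 * dereference from the report; with checked != 0 it is a clean -2. */
static int parse_group_header(const char *line, int checked)
{
    const char *colon = strchr(line, ':');
    const char *semi = colon ? strchr(colon, ';') : NULL;
    if (colon == NULL || semi == NULL) return -1;
    struct mbox_list *ml = parse_mbox_list(colon + 1, (size_t)(semi - colon - 1));
    size_t nlen = (size_t)(colon - line);
    struct group *g = checked ? group_new_checked(line, nlen, ml)
                              : group_new_unchecked(line, nlen, ml);
    if (g == NULL) { mbox_list_free(ml); return -2; }
    int n = (int)g->mailboxes->count;   /* unchecked path: NULL deref when ml == NULL */
    group_free(g);
    return n;
}

int main(void)
{
    /* Constructed sample header bodies; the second is an empty group. */
    const char *samples[] = {
        "friends: alice@example.com, bob@example.com;",
        "undisclosed-recipients:;",
    };
    for (size_t i = 0; i < 2; i++)
        printf("%-46s -> %d\n", samples[i], parse_group_header(samples[i], 1));
    return 0;
}
```

The check belongs in the constructor rather than at each call site because the parser has several ways to come back empty-handed; a constructor that refuses NULL closes all of them at once, and a fuzzer such as the one used here then reports an error return instead of a signal.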

The bug didn't live long enough to get a proof-of-concept, but as noted in the thread, segfaults like this are often exploitable.